Apple, FBI Tussle Puts Bull's-Eye on iPhone

By John P. Mello Jr.
Apr 7, 2016 5:00 AM PT

The battle between the FBI and Apple over access to the iPhone of San Bernardino, California, killer Syed Farook came to an abrupt end last week when the agency announced it no longer needed the company's assistance to crack the device.

Since the U.S. Department of Justice delayed a hearing on an order to force Apple to assist the FBI in brute-forcing the password on Farook's phone, speculation has spread about how the agency planned to access the data on the device without the help of the iPhone's maker.

A number of news reports identified Cellebrite as a likely ally of the FBI in breaking the phone's password.

That guess is a good one, said Stephen Coty, the chief security evangelist at Alert Logic. Cellebrite has a team of mobile forensic experts who have developed processes to unlock iPhones for their customer base.

"Cellebrite has many proprietary tools that they use for forensics investigations," he told TechNewsWorld.

In Hackers' Crosshairs

Most forensic tools make a snapshot of a phone and then attempt to crack the copy so as to not tamper with the actual evidence, Coty said. "Making a copy of the phone would allow you to have as many tries to unlock it without worry of a data wipe."

In its litigation, the FBI wanted Apple to disable a feature on Farook's iPhone that would erase all data on it after 10 erroneous password attempts.

Now that the FBI has found a way to crack Farook's iPhone, Apple may want the courts to do some compelling on its behalf. Apple attorneys are huddling to find a way to force the FBI to reveal how it broke the password, according to the Los Angeles Times.

What's more, all the publicity generated by Apple's squabble with the FBI may create more worry for the company down the road, according to Coty.

"I've been following some of the stuff that's being posted on the underground, and more and more people are coming up with techniques to unlock the iPhone," he said.

"This case has put a target on the iPhone," Coty added.

API Security

Mobile APIs, or application programming interfaces, have become a critical component of the Internet's infrastructure. With the growth of the Internet of Things, which will add millions of new devices to the Net, they will become even more important.

As their importance increases, though, so too does the concern over their vulnerability to attack by cyberbandits.

While APIs are no more or less secure than other parts of the Net's infrastructure, developer ignorance can make them less secure.

"What people have to realize is when you build an application that talks to a service over the Internet, you've created an API," explained Greg Brail, chief architect at Apigee.

"If we look at a lot of the things that have gone wrong with API security recently, it's because someone built a mobile app, and they didn't realize they created an API, and they failed to use some of the security practices that you expect to have on an API," he told TechNewsWorld.

"As a result," Brail continued, "not only did they create an insecure mobile app, but they created an insecure API."

Bad ID Management

Some of the most common attacks on APIs involve flaws in authentication.

For example, the IRS had a service accessible through an API for taxpayers to obtain tax account transactions or line-by-line tax return information for a specific tax year. To request that data, a visitor to the IRS website needed three pieces of information: address, Social Security number and date of birth.

"Millions of Americans have had that information stolen from them, so attackers were able to use that information to get access to people's private tax data," Brail said.

"The biggest things we've seen go wrong is people either not putting any authentication on the API at all or tying it to an identity management solution that doesn't handle all the security aspects correctly," he added.
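As an added illustration (not code from the article, the IRS or Apigee), the following Python contrasts the knowledge-based check Brail describes with one that also demands something a holder of breached personal data does not have; the records, the enrolled device tokens and the HardenedTranscriptService class are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data (placeholder values, not real records). The
# triple (SSN, date of birth, address) is exactly the kind of information
# the article notes has already been stolen from millions of people.
RECORDS = {
    ("123-45-6789", "1970-01-01", "1 MAIN ST"): {
        "account": "taxpayer-a",
        "transcript": "2015 line-by-line return (placeholder)",
    },
}
# Hypothetical possession factor: a token held by the taxpayer's enrolled
# device or authenticator app, bound to the account at registration time.
ENROLLED_TOKENS = {"taxpayer-a": "enrolled-device-token-xyz"}


def kba_only_lookup(ssn, dob, address):
    """The weak pattern: the three knowable facts are the whole check, so
    anyone holding breached personal data is indistinguishable from the
    taxpayer."""
    rec = RECORDS.get((ssn, dob, address))
    return rec["transcript"] if rec else None


@dataclass
class HardenedTranscriptService:
    """Adds a possession factor and a per-identity attempt limit."""
    max_attempts: int = 5
    failures: dict = field(default_factory=dict)

    def lookup(self, ssn, dob, address, device_token):
        identity = (ssn, dob, address)
        # Count failures per identity, not per source IP: leaked data is
        # replayed from many addresses, so an IP-based limit is bypassed.
        if self.failures.get(identity, 0) >= self.max_attempts:
            return "locked"
        rec = RECORDS.get(identity)
        expected = ENROLLED_TOKENS.get(rec["account"]) if rec else None
        # Same response for "no such record" and "wrong token", so the
        # API does not confirm which triples are valid.
        if expected is None or not hmac.compare_digest(expected, device_token):
            self.failures[identity] = self.failures.get(identity, 0) + 1
            return None
        self.failures.pop(identity, None)  # reset on a genuine success
        return rec["transcript"]
```

Locking per identity trades availability for safety: someone holding the triple can lock the legitimate taxpayer out, so the recovery path also needs a factor the attacker lacks.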

How safe are APIs for private data?

"Compared to the alternatives to APIs, they can be made very secure, if you follow the right techniques -- and arguably more secure than some other things, like Web apps," Brail said.

Behavioral Biometrics Redux

We've written before about how keyboard strokes, mouse movements and hardware details can be used to fingerprint a person and authenticate identity online.

Those solutions typically require monitoring a user's behavior from the cloud, but a company called TeleSign has taken a slightly different slant on the technology to help developers create more secure applications.

Traditional biometrics, which uses body parts -- fingers, eyes and faces -- doesn't work very well with online commerce. Not only does it create a privacy nightmare, but it also creates the nemesis of all e-commerce companies: friction.

"Behavioral biometrics are more suitable for an online consumer account," said Sergi Isasi, director of product management at TeleSign.

"It's easier to enroll the user because the user doesn't do anything different when they enroll," he told TechNewsWorld, "and you're not asking the user to do anything they would feel uncomfortable with, like taking a picture of their eye on their phone."

Privacy Concerns

Depending on the application, TeleSign's behavioral biometrics solution is offered as JavaScript (Web application) or an SDK (mobile application).

"The developers would integrate our application into their application, and it would track the user's behavior across activities -- logging in, navigation, entering text and purchasing an item," Isasi said.

TeleSign's app sends the user-behavior data to its cloud where the information is analyzed and scored. The score tells a merchant how similar the actions are to the user's previous actions.

Scores can be generated at various decision points during a user's session, so there are multiple opportunities to detect hinky behavior.

While TeleSign's solution is frictionless to users, it's also invisible to them. That means it's collecting information about them, in most cases, without their knowledge.

That's not a problem because the information isn't linked to a user by name, Isasi maintained. Nevertheless, some TeleSign users aren't taking any chances about potential misunderstandings about data collection.

"Some of our customers are asking for consent permissions from their users," Isasi said, "but that's up to the customer."

Breach Diary

March 28. FBI says it has cracked iPhone of Syed Farook, one of two shooters who killed 14 people in San Bernardino, California, in December.

March 28. MedStar Health, a health care provider in the Washington, D.C., area, takes its computer systems offline after discovering a virus preventing some of its users from logging on to their systems.

March 28. Akram Aleeming acknowledges an error at a website he was developing for Thai police leaked the personal details of more than 2,000 foreign nationals living in southern Thailand onto the Internet.

March 28. Doritex, an industrial launderer in western New York, and Kallus Opraments, a website developer, are fined US$95,000 by the state Attorney General's Office for a website error that exposed more than 500 employment applications on the Internet.

March 28. University of Central Florida reports expenditure of $109,364 for notifying 63,000 students and former employees that their confidential information was compromised in a data breach in February.

March 28. CardHub releases a survey finding 42 percent of retailers have not installed payment terminals that accept chip-enabled payment cards, and 56 percent of consumers say they don't care if a retailer has chip-enabled terminals.

March 29. National Consumers League launches redesigned Fraud.com website, which includes a portal on data breaches.

March 29. Ryman Hospitality Properties, parent of the Grand Ole Opry, states tax information of anyone who received a W-2 form from the company in 2015 is at risk after the information was emailed to a scammer posing as a corporate officer.

March 29. Kentucky State University alerts current and former employees their tax information for 2015 is at risk after their W-2 forms were emailed to a scammer posing as a university official.

March 30. The Guardian reports that the U.S. and the UK will simulate a cyberattack on a nuclear power plant sometime this year.

March 30. Norfolk Admirals hockey team in Virginia says names, addresses and email addresses of some 250 customers were posted to the Internet after a data breach of its computer systems.

March 30. Law firm Cravath Swaine & Moore states its computer systems were breached last summer and that it is unaware of any of the affected information having been used improperly.

March 31. The Sydney (Australia) Morning Herald reports a database containing private information for more than a million customers of Menulog, an online takeout service, has been exposed to the Internet because of an access control flaw.

March 31. Amherst, Ohio, police say they posted online for several weeks the Social Security numbers of 30 people while they were learning a new records-management system.

Upcoming Security Events

April 7. Every Organization of Every Size in Every Industry: What Are Your Breach Risks and Gaps? 2 p.m. ET. Webinar by ID Experts. Free with registration.